Software Links
Getting Started
- Doc Structure
- A Globus Primer
- Globus Is Modular!
- Quickstart
- Installing GT
- Platform Notes
- GT Developer's Guide
- GT User's Guide (coming soon)
- Migrating from GT2
- Migrating from GT3
Reference
- Best Practices
- Coding Guidelines
- API docs
- Public Interfaces (coming soon)
- Resource Properties
- Samples
- Glossary
- Performance Studies (coming soon)
Manuals
Common Runtime
Security
- Non-WS (General) Security
- WS Java Security
- Message-level
- Authz Framework
- CAS
- Delegation Service
- MyProxy
- GSI-OpenSSH
- SimpleCA
- SGAS
Data Mgt
MDS4
Execution Mgt
Table of Contents
Configuration on the server side is done using Section 1, “Security Descriptors Introduction”. Custom authorization mechanisms can be written and used as a part of the GT frameework. The next section describes the steps involved.
On the client side, in addition to security descriptor, properties on the stub can be sed to configure security properties. Properties and values are described in detail in the next section.
The property to use depends on the authentication scheme:
If GSI Secure Transport or GSI Secure Conversation is used, the
org.globus.axis.gsi.GSIConstants.GSI_AUTHORIZATIONproperty must be set on the stub. The value of this property must be an instance of an object that extends fromorg.globus.gsi.gssapi.auth.GSSAuthorization. All distributed authorization schemes have implementation inorg.globus.gsi.gssapi.authpackage.For all other authentication schemes, the
org.globus.wsrf.impl.security.Constants.AUTHORIZATIONproperty must be set on the stub. The value of this property must be an instance of an object that implements theorg.globus.wsrf.impl.security.authorization.Authorizationinterface.Example:
// Create endpoint reference EndpointReferenceType endpoint = new EndpointReferenceType(); // Set address of service String counterAddr = "http://localhost:8080/wsrf/services/CounterService"; // Get handle to stub object CounterPortType port = locator.getCounterPortTypePort(endpoint); // set client authorization to self ((Stub)port)._setProperty(Constants.AUTHORIZATION, SelfAuthorization.getInstance());
Other than the distributed client authorization scheme, custom client-side authorization schemes can be written and can be set as value for appropriate property on the stub.
![[Note]](/docbook-images/note.gif) | Note |
|---|---|
Security descriptors cannot be used to configure custom authorization schemes on client side. |
If the authentication scheme to be used is GSI Secure Transport or GSI Secure Conversation, the custom authorization scheme should extend from extends from
org.globus.gsi.gssapi.auth.GSSAuthorization.public class TestAuthorization extends GSSAuthorization { // Provide some way to instantiate this class. Can use constructor // with arguments to pass in parameters. public TestAuthorization() { } public GSSName getExpectedName(GSSCredential cred, String host) throws GSSException { // Return the expected GSSName of the remote entity. } public void authorize(GSSContext context, String host) throws AuthorizationException { // Perform the authorization steps. // context.getSrcName() provides the local GSSName // context.getTargName() provides the remote GSSName // if authorization fails, throw AuthorizationException } }The following describes the steps done for client side authorization during context establishment:
Prior to initialization of context establishment the relevant handler (HTTPSSender in case of GSI Secure Transport or SecContextHandler in case of GSI Secure Conversation), invokes getExpectedName on the instance of GSSAuthorization set on the Stub.
During context establishment, if the expected target name from previous step is not null, it is compared with the remote peer's GSSName. If it is not a match, context establishment is abandoned and an error is thrown.
If the expected target name is null, then a match is not done, unless the option of delegation is used. That is, if GSI Secure Conversation with delegation is used, then the expected target name cannot be null and must match the remote peer's identity.
Once the context has been established, the authorize method is invoked.
Note Client authorization is done prior to invocation.
To configure the custom authorization scheme:
((Stub)port)._setProperty(GSIConstants.GSI_AUTHORIZATION, new TestAuthorization());Various authorization scheme implementations in package
org.globus.gsi.gssapi.authwould serve as examples. View CVS LinkFor all authentication schemes other than those in previous step the
org.globus.wsrf.impl.security.Constants.AUTHORIZATIONproperty must be set on the stub. The value of this property must be an instance of an object that implements theorg.globus.wsrf.impl.security.authorization.Authorizationinterface.public class TestAuthorization implements Authorization { // Provide some way to instantiate this class. Can use constructor // with arguments to pass in parameters. public TestAuthorization() { } public GSSName getName(MessageContext ctx) throws GSSException { // Return the expected GSSName of the remote entity. } void authorize(Subject peerSubject, MessageContext context) throws AuthorizationException { // Perform the authorization steps. // peerSubject provides the remote Subject // Use SecurityManager API to get local Subject // if authorization fails, throw AuthorizationException } }The following describes the steps done for client side authorization:
The client side handler WSSecurityClientHandler, invokes authorize method on the authorization instance.
Note Client authorization is done after the invocation.
To configure the custom authorization scheme:
((Stub)port)._setProperty(Constants.AUTHORIZATION, new TestAuthorization());Various authorization scheme implementations in package
org.globus.wsrf.impl.security.authorizationwould serve as examples. View CVS Link.
The server side authorization framework can be configured to use a custom authorization interceptors, bootstrap PIP, PIP and PDP. Detailed information on writing custom PDPs can be found in GT Java Authorization Framework. Also, the section Section 3, “Migrating from GT 4.1.0” describes migrating from older PDP/PIP implementations.
For example, a custom PDP must implement the interface org.globus.security.authorization.PDP.
Example:
package org.foobar;
import ....;
public class FooPDP implements PDP
{
private Principal authorizedIdentity;
public Decision canAccess(RequestEntity requestEntity,
NonRequestEntity nonRequestEntity)
throws AuthorizationException {
// process and return decision
}
public Decision canAdminister(RequestEntity requestEntity,
NonRequestEntity nonRequestEntity)
throws AuthorizationException {
// process and return decision
}
}
To use the above PDP one would configure a service security descriptor with the following authorization settings:
<securityConfig xmlns="http://www.globus.org"> ... <authz value="foo1:org.foobar.FooPDP"/> ... <securityConfig/>
This security descriptor (identified as /.../foo-pdp-security-config.xml below) can then be used by a service. The association is created by adding a couple of parameters to the service's WSDD entry:
...
<service name="MyDummyService"
provider="Handler"
style="document">
...
<parameter name="securityDescriptor"
value="/.../foo-pdp-security-config.xml"/>
<parameter name="foo1-authorizedIdentity"
value="/DC=org/DC=doe/OU=People/CN=John D"/>
...
</service>Note that the parameter <parameter>foo1-authorizedIdentity</parameter> in the above configures the identity the PDP uses for authorizing incoming requests. The parameter name is derived by composing the prefix (<parameter>foo1</parameter>) used when specifying the PDP in the security descriptor with the property (<parameter>authorizedIdentity</parameter>) used in the PDP code.